Educause Security Discussion mailing list archives
Re: Annual Security Report
From: Nick Lewis <nlewis10 () SLU EDU>
Date: Mon, 6 Oct 2014 20:58:01 -0500
Hi Dan,

We're still working on a monthly report to roll up into an annual report, but I've been using these guides:

National Association of Corporate Directors (NACD) Cyber-Risk Oversight Handbook
http://www.nacdonline.org/cyber

IT and cybersecurity oversight
http://www.pwc.com/us/en/corporate-governance/annual-corporate-directors-survey/information-technology-cybersecurity-oversight.jhtml

KPMG Cyber Risk Areas of Focus for the Audit Committee
http://www.kpmg-institutes.com/institutes/aci/articles/2014/04/cyber-risk-areas-of-focus-for-the-audit-committee.html

Information Security Resources for Presidents and Senior Executives
http://www.educause.edu/library/resources/resources-presidents-and-senior-executives-information-security

Hope that helps,
Nick

On Mon, Oct 6, 2014 at 9:08 AM, Sturgis, John (John Sturgis) <jsturgis () utk edu> wrote:
While researching this topic for a presentation, I found the linked materials helpful.

Overview of the value/purpose of metrics
Educause article, Cybersecurity: When Will We Know If What We Are Doing Is Working?
[http://www.educause.edu/ero/article/cybersecurity-when-will-we-know-if-what-we-are-doing-working]

Guide to selecting which metrics
CIS Quick Start Guide for CIS Consensus Security Metrics v1.0.0
[http://benchmarks.cisecurity.org/downloads/show-single/?file=metrics_guide.100]

The NIST approach to measuring security program maturity
NISTIR 7358, Program Review for Information Security Management Assistance (PRISMA)
[http://www.nist.gov/customcf/get_pdf.cfm?pub_id=50907]

John P. Sturgis
Audit and Consulting Services
The University of Tennessee

On Oct 6, 2014, at 9:33 AM, Dan Sarazen <dsarazen () BRANDEIS EDU> wrote:

Good Morning All,

I have a school that wants to develop an annual IT Security report for the Audit Committee, but isn't sure what they want in the report. Has anyone out there developed an annual security report and already chosen their metrics? If anyone has a template for their report that they are willing to share, it would be appreciated.

Many Thanks,
Dan Sarazen
Sr. IT Auditor
The Boston Consortium for Higher Education
Dsarazen () boston-consortium org
781-296-4444
--
Nick Lewis
Information Security Officer - Director, IT Security and Compliance
ITS IT Security and Compliance
Email: nlewis10 () slu edu - Phone: 314-977-1786